On Mon, Aug 26, 2019 at 05:39:14AM -0700, Josef Schneider via 
dev-security-policy wrote:
> Sure, I can register a company and get an EV certificate for that company. 
> But can I do this completely anonymously, like getting a DV cert?
> Nobody is arguing that EV certificates are perfect and everything is good
> if you use them.  But they do raise the bar for criminals.  And in my
> opinion, significantly.

Except criminals don't need them.  Raising the bar doesn't help if you don't
need to go over the bar.

> What I propose is for Mozilla to not say "Fuck it, it's not working, just
> remove it!" but instead try to focus on finding a better UX solution to
> the problem that end users are not aware if a site that should have an EV
> certificate is not presenting one.

Why should Mozilla do all this work?  So far, all the evidence suggests that
EV certs do not do what their advocates say they do, and have a significant
cost to browsers (code complexity, administration of EV bits, etc) and
relying parties (need to learn what the EV UI means, what it does and
doesn't claim, etc).

Instead of Mozilla continuing to take on the burden of keeping this ship
afloat, why don't the parties that benefit from selling EV certs (i.e. CAs) do
the hard yards to figure out what works, in a rigorous and scientific way,
and then present the results of that research to the wider community?

- Matt
